
PhantomCard Android Trojan Exploits NFC for Fraud in Brazil


Summary


A new Android trojan, PhantomCard, has been identified conducting NFC relay attacks to facilitate fraudulent transactions. The malware targets banking customers in Brazil, instructing users to place their credit or debit cards against the back of their phones for "verification". This action reads the card over NFC and sends the card data to an attacker-controlled NFC relay server. The stolen card details are then used with contactless payment systems such as Apple Pay or Google Pay, enabling attackers to obtain physical goods. The malware is distributed through malicious apps that users are tricked into installing. Once installed, it uses the phone's NFC functionality to read and relay card data, bypassing the security controls that normally protect a physical card. The impact includes financial loss for victims and potential reputational damage for affected banks and payment systems.

Timeline

  1. 18.08.2025 15:47

    PhantomCard Android Trojan Exploits NFC for Fraud in Brazil


Similar Happenings

Fourth Spyware Campaign Targeting French Apple Users in 2025

Apple has notified French users of a fourth spyware campaign in 2025. The Computer Emergency Response Team of France (CERT-FR) confirmed the alerts on September 3, 2025. The campaign targets individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. The alerts are part of a series of notifications sent throughout the year, with previous alerts on March 5, April 29, and June 25. These alerts indicate that at least one device linked to the users' iCloud accounts may have been compromised in highly targeted attacks. The campaign follows a previous incident involving a security flaw in WhatsApp (CVE-2025-55177) and an Apple iOS bug (CVE-2025-43300), which were used in zero-click attacks. Apple has been sending these notifications since November 2021. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities.

WhatsApp Zero-Day Exploited in Targeted Attacks

WhatsApp patched a zero-day vulnerability (CVE-2025-55177) in its messaging apps for Apple iOS and macOS. The flaw allowed unauthorized users to trigger processing of content from arbitrary URLs on targeted devices. The issue was exploited in conjunction with a recently disclosed Apple flaw (CVE-2025-43300) in targeted zero-day attacks. WhatsApp notified fewer than 200 users who may have been targeted as part of the spyware campaign. The vulnerability stems from insufficient authorization of linked-device synchronization messages. The exploitation chained the WhatsApp flaw with the Apple vulnerability, enabling sophisticated attacks against specific users. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog and is advising federal agencies to apply mitigations by September 23, 2025.

Brokewell Android Malware Distributed via Fake TradingView Ads

A new campaign has been discovered distributing Brokewell Android malware through fake TradingView ads on Meta's advertising platforms. The campaign targets cryptocurrency assets and has been active since at least July 22, 2025. The malware, which has been in circulation since early 2024, features extensive capabilities including data theft, remote monitoring, and device control. The campaign uses localized ads and a malicious APK file to infect Android devices. The malware mimics an Android update prompt to steal device PINs and has a broad set of tools for monitoring, controlling, and stealing sensitive information. It targets cryptocurrency wallets, Google Authenticator codes, and banking credentials. The campaign is part of a larger operation that previously targeted Windows users through Facebook ads impersonating well-known brands. The campaign has run at least 75 malicious ads since July 22, 2025, reaching tens of thousands of users in the European Union alone.

TamperedChef Malware Campaign Targets Users via Fake PDF Editors

A cybercrime campaign using malvertising to distribute a new information stealer called TamperedChef has been discovered. The malware is disguised as a fake PDF editor, AppSuite PDF Editor, and is designed to steal sensitive data, including credentials and web cookies. The campaign began on June 26, 2025, with malicious capabilities activated on August 21, 2025. The malware operates as a backdoor, supporting various features for data exfiltration and system manipulation. The campaign involves multiple fraudulent websites promoting the PDF editor; once installed, the installer makes covert requests to an external server to drop the PDF editor program and set up persistence on the host. The malware gathers information about installed security products and attempts to terminate web browsers so that it can access their stored sensitive data. The campaign includes more than 50 domains and apps signed with fraudulent certificates from at least four companies. The threat actor has been active since at least August 2024, promoting other tools such as OneStart and Epibrowser, which can turn hosts into residential proxies.

HOOK Android Trojan Adds Ransomware Overlays, Expands to 107 Remote Commands

A new variant of the HOOK Android banking trojan has been discovered, featuring ransomware-style overlay screens to display extortion messages. This variant can deploy full-screen ransomware overlays, steal credentials, and execute 107 remote commands, including capturing user gestures and mimicking NFC and Google Pay interfaces. HOOK is distributed through phishing websites, GitHub repositories, and other malicious channels, posing a significant risk to financial institutions and users. The malware is believed to be an offshoot of the ERMAC banking trojan, which had its source code leaked. The new variant includes features to send SMS messages, stream the victim's screen, capture photos, and steal cryptocurrency wallet information. The evolution of HOOK highlights the convergence of banking trojans with spyware and ransomware tactics.